Chinese government still sponsoring cyber-espionage, says FireEye COO

China is "a nation-state sponsoring intrusions into businesses in the US"

A year ago, Mandiant, since acquired by FireEye, issued a long report called "APT1" that accused China's People's Liberation Army of launching cyber-espionage attacks against 141 companies in 20 industries through a group known as "PLA Unit 61398" operating mainly from Shanghai.

In his keynote address at the RSA Conference, FireEye senior vice-president and chief operating officer Kevin Mandia provided an update on what happened after the report was published. "How did the Chinese government respond?" Mandia said. "We were hoping we'd see behavioural change."

The report provided in-depth evidence in technical detail about the cyber-attacks, Mandia said. The Chinese government, though, issued a carefully worded statement rejecting the findings.

"We did alter their behavior," Mandia said. The Chinese never again used the same attack infrastructure. And there was an overall "temporary hiatus" but that has again ramped up. China is "a nation-state sponsoring intrusions into businesses in the US," he said.


While the "APT1" report is generally given credence in the US, it's worth noting that Chinese networking giant Huawei does not. "We just don't find the report to be credible at all," said a Huawei representative at the RSA conference this week.

While the US and China had been on track last year to discuss the prickly cyber-spying issue, those talks largely dissolved publicly when former NSA contractor Edward Snowden started feeding secret documents to the media that showed the US engaged in mass surveillance on a global scale.

The US government claims to not conduct cyber-espionage for purposes of stealing trade secrets from foreign companies to share with American competitors. But foreigners who now believe their every move on the Internet is being tracked by the NSA aren't buying it.

The TrustyCon Conference held its first-ever event yesterday right across the street from the event sponsored by RSA, the security division of EMC. TrustyCon (the "Trustworthy Technology Conference") was organised by the Electronic Frontier Foundation and others over the past month after some speakers scheduled to appear at the RSA Conference angrily backed out. They did so after evidence came to light that RSA had, years ago, included in its crypto toolkit an algorithm that most of the industry now believes to be an NSA backdoor.

This is viewed as a betrayal of trust, and TrustyCon was quickly devised as an alternative to the RSA Conference where speakers would discuss topics such as NSA mass surveillance. The TrustyCon event yesterday raised $20,000 for EFF, which said it would use the money to pursue efforts to fight NSA mass surveillance.

Chief research officer at F-Secure, Mikko Hypponen, delivered an eloquent presentation on the government surveillance topic at TrustyCon, more or less the one he would have delivered at the RSA Conference if he hadn't dropped out in protest.

Hypponen, whose company F-Secure is based in Finland, said the day has come when it's not only cyber-criminals writing malware but governments as well.

U.S. influence stems not only from its significant military might, which funds cyber-espionage and cyber weapons, but also from its market dominance in Internet-based services provided by American giants such as Google, Microsoft and Facebook, Hypponen said.

But fears that the U.S. is abusing its power to conduct Internet-based surveillance are leading to a backlash in Europe and South America, where anger over news stories about the NSA has other countries trying to come up with alternatives to anything connected to the U.S., Hypponen warned.

There are even questions as to whether U.S.-based anti-malware companies are shielding government-made malware, or would agree to not scan for it, Hypponen said. He pointed to how a Netherlands-based digital rights group called Bits of Freedom recently asked anti-malware vendors from across the world to publicly state whether they cooperate with any government-created malware effort by not scanning for government-created malware.

Hypponen said based on his tracking of this issue with Bits of Freedom, so far Symantec and McAfee haven't responded, though Microsoft responded by saying it didn't cooperate with any government to deliberately not scan government-made malware.

On the other hand, Hypponen said one good thing seems to be happening: Stuxnet, the best-known example of what's believed to be government-created malware, which was used in 2010 against Iranian nuclear facilities, is not known to have led to a copycat.

"We were really worried there would be copycats," said Hypponen. "I am glad we were wrong."

Today, security companies themselves are targets of attacks to steal information and compromise products -- perhaps not only from cyber-criminals out for financial gain but also governments that see security vendors as a backdoor path to cyberespionage.

RSA finally confronted the NSA backdoor scandal publicly this week when executive chairman Art Coviello used his keynote address to say RSA had been exploited by the NSA, which he said abused its position of trust. It was a stunning declaration that in some sense represents a turning point for the U.S. high-tech industry.

But for Hypponen, who lives in Finland and keenly feels that his "foreigner" status makes him and all other "foreigners" targets for NSA mass surveillance, there's clearly ambivalence about whether RSA is really wiping the slate clean.

"They should have known better," says Hypponen, adding that the world is left trying to decide whether RSA is guilty of collusion with the NSA over this backdoor or merely of "incompetence" in not realizing what was really happening.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:
